Guidance for Industry 21 CFR Part 11; Electronic Records; Electronic Signatures Time Stamps Draft Guidance This guidance document is being distributed for comment purposes only. Comments and suggestions regarding this draft document should be submitted within 90 days of publication in the Federal Register of the notice announcing the availability of the draft guidance. Submit comments to Dockets Management Branch (HFA-305), Food and Drug Administration, 5630 Fishers Lane, room 1061, Rockville, MD 20852. All comments should be identified with the docket number 00D-1542. For questions regarding this draft document contact Paul J. Motise, Office of Enforcement, Office of Regulatory Affairs, 301-827-0383, e-mail: pmotise@ora.fda.gov. U.S. Department of Health and Human Services Food and Drug Administration Office of Regulatory Affairs (ORA) Center for Biologics Evaluation and Research (CBER) Center for Drug Evaluation and Research (CDER) Center for Devices and Radiological Health (CDRH) Center for Food Safety and Applied Nutrition (CFSAN) Center for Veterinary Medicine (CVM) February 2002
Guidance for Industry 21 CFR Part 11; Electronic Records; Electronic Signatures Time Stamps Additional copies of this draft guidance document are available from the Office of Enforcement, HFC-200, 5600 Fishers Lane, Rockville, MD 20857; Internet http://www.fda.gov/ora/compliance_ref/part11/default.htm U.S. Department of Health and Human Services Food and Drug Administration Office of Regulatory Affairs (ORA) Center for Biologics Evaluation and Research (CBER) Center for Drug Evaluation and Research (CDER) Center for Devices and Radiological Health (CDRH) Center for Food Safety and Applied Nutrition (CFSAN) Center for Veterinary Medicine (CVM) February 2002 ii
Guidance For Industry 21 CFR Part 11; Electronic Records; Electronic Signatures Time Stamps Table of Contents 1. Purpose...1 2. Scope...2 2.1. Applicability...2 2.2. Audience...3 3. Definitions and Terminology...3 4. Regulatory Requirements; What Does Part 11 Require?...3 5. Key Principles and Practices...4 5.1. Time Stamp Accuracy...4 5.2. Systems Clock Security...5 5.3. Time Zones...6 5.4. Expression of Date and Time...8 5.5. Precision of Date and Time Expressions...8 6. Other Uses of Time Stamps In Electronic Recordkeeping...9 iii
Guidance For Industry 1 21 CFR Part 11; Electronic Records; Electronic Signatures Time Stamps This draft guidance, when finalized, will represent the Food and Drug Administration s (FDA s) current thinking on this topic. It does not create or confer any rights for or on any person and does not operate to bind FDA or the public. An alternative approach may be used if such approach satisfies the requirements of applicable statutes and regulations. 1. Purpose The purpose of this draft guidance is to describe the Food and Drug Administration's (FDA s) current thinking regarding the time stamp requirements of Part 11 of Title 21 of the Code of Federal Regulations; Electronic Records; Electronic Signatures. It provides guidance to industry, and is intended to assist persons who are subject to the rule to comply with the regulation. It may also assist FDA staff who apply part 11 to persons who are subject to the regulation. 1 This draft guidance was prepared under the aegis of the Office of Enforcement by the FDA Part 11 Compliance Committee. The committee is composed of representatives from each center within the Food and Drug Administration, the Office of Chief Counsel, and the Office of Regulatory Affairs. 1
2. Scope This draft guidance is one of a series of guidances about part 11. We intend to provide information with respect to FDA's current thinking on acceptable ways of meeting part 11 requirements to ensure that electronic records and electronic signatures are trustworthy, reliable, and compatible with FDA's public health responsibilities. This draft guidance focuses on time stamps applied by computer systems and identifies key principles and practices regarding time stamps. 2.1. Applicability This draft guidance applies to electronic records and electronic signatures that persons create, modify, maintain, archive, retrieve, or transmit under any records or signature requirement set forth in the Federal Food, Drug, and Cosmetic Act (the Act), the Public Health Service Act (PHS Act), or any FDA regulation. Any requirements set forth in the Act, the PHS Act, or any FDA regulation, with the exception of part 11, are referred to in this document as predicate rules. Most predicate rules are contained in Title 21 of the Code of Federal Regulations. In general, predicate rules address the research, production, and control of FDA regulated articles, and fall into several broad categories. Examples of such categories include, but are not limited to, manufacturing practices, laboratory practices, clinical and pre-clinical research, adverse event reporting, product tracking, and pre and post marketing submissions and reports. 2
2.2. Audience We intend this draft guidance to provide useful information and recommendations to: Persons subject to part 11; Persons responsible for implementing time stamps in electronic record and electronic signature systems; and, Persons who develop products or services to enable implementation of part 11 requirements; This draft guidance may also assist FDA staff who apply part 11 to persons subject to the regulation. 3. Definitions and Terminology Unless otherwise specified below, all terms used in this draft guidance are defined in FDA s draft guidance document, Guidance For Industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Glossary of Terms, a document common to the series of guidances on part 11. 4. Regulatory Requirements; What Does Part 11 Require? Section 11.10 requires persons to employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. To satisfy this requirement persons must, among 3
other things, employ procedures and controls that include the use of computer generated time stamps. For example: Section 11.10(e), requires controls and procedures to include the [u]se of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records..." (emphasis added). Section 11.50(a)(2) requires signed electronic records to contain information associated with the signing that clearly indicates, among other things, the date and time when the signature was executed." (emphasis added). Section 11.50(b) requires the date and time when the signature was executed to be included as part of any human readable form of the electronic record (such as electronic display or printout). 5. Key Principles and Practices 5.1. Time Stamp Accuracy Persons must use procedures and controls for time stamps under part 11 (as described above), designed to ensure, among other things, the authenticity and integrity of electronic records. Accordingly, procedures and controls should be implemented to ensure time stamps are accurate and reliable. It is extremely important for time stamps to be based on computer system clocks that are accurate and reliable. 4
5.1.1. Synchronization Computer clocks should be set correctly and continue to be set correctly. You should establish and follow procedures to ensure that computer clocks are set properly. For example, computers on a network should automatically synchronize their clocks with that of a designated network computer (e.g., as part of the process of logging on to the network). The network "master clock" or time server should, itself, be synchronized to a recognized standard computer clock. Computers not connected to a network should have their clocks synchronized to a recognized standard clock and should be periodically verified against the standard clock. 5.2. Systems Clock Security You should be able to detect inappropriate changes to computer clocks. You should establish and follow procedures to detect and deter inappropriate changes to computer clocks. For example, employees should be made aware that unauthorized changes to clock settings are serious and unacceptable actions. We believe employee training and awareness programs are especially important where computer systems lack a technical means of preventing people from changing clock settings. For example, in general, laptop computers lack a means of preventing clock changes. 5
Persons responsible for system security should periodically conduct unannounced checks of computer clocks to detect and deter unauthorized clock changes. In addition, time stamps on electronic records should be spot checked for anomalies that might indicate inappropriate clock settings. For example, if the time stamps in an audit trail show a date and time of record modification that is earlier than the date and time of record creation, this discrepancy might indicate that there have been unauthorized clock modifications. 5.3. Time Zones In the preamble to the final rule for part 11, entitled 21 CFR Part 11 Electronic Records; Electronic Signatures, we stated: [R]egarding systems that may span different time zones, the agency advises that the signer s local time is the one to be recorded. (See comment paragraph 101 in 62 Fed. Reg. 13430, at 13453 (March 20, 1997).) We have reconsidered this position, and the guidance presented here reflects our current thinking, and supersedes the position in comment 101 with respect to the time zone that should be recorded. You should implement time stamps with a clear understanding of what time zone reference you use. Systems documentation should explain time zone references as well as zone acronyms or other naming conventions. For example, the time zone reference might be a central point like Greenwich Mean Time, a point local to the computer where the activity linked to the time stamp occurs, or a point where the time stamp clock (e.g., a time stamp server) is located. 6
The time zone reference should be part of the time stamp itself and appear in human readable forms of the time stamp. In our view, this procedure would help to ensure the authenticity and integrity of the electronic record (as well as the electronic audit trail) because it potentially eliminates confusion with respect to the timing of a particular event or action that could be attributed to different time zones. We recognize, however, that you might not elect to include the time zone reference in the time stamp itself or as part of the human readable form of the time stamp. We believe this approach can be potentially problematic if records are copied or transferred within (or accessed from) different organizations, or different components of an organization, that use different time zone references. In such cases, the reader could easily become confused as to exactly what time zone reference was used. Nonetheless, if you decide to adopt this approach, you should have readily available systems documentation that clearly explains what time zone references apply, and you should establish mechanisms to ensure that the reader has a clear and accurate understanding of the correct time zone reference. For example, you might flag a record with a code that a reader could use to determine the time zone reference used. 7
5.4. Expression of Date and Time System documentation should define how date and time are expressed. For example, a date expressed as 02/03/04 might have a variety of meanings (e.g., February 3, 2004 or March 2, 2004) and without a clear indication of what convention applies, it could create confusion. Likewise, time might be expressed using 24 or 12 hour conventions (e.g., 1330 hrs, or 1:30 p.m). You should take steps to ensure that date and time expressions are clearly understood throughout an organization. As we discussed in section 5.3, Time Zones, if different parts of an organization elect to express date and time differently, the reader might become confused and draw erroneous conclusions about when events took place. It is very important for people who read the time stamp to have a clear understanding of what date and time expressions apply, especially where records in a collection express date and time differently. 5.5. Precision of Date and Time Expressions Audit trail and signature time stamps should be precise to the hour and minute. Date expressions in those stamps should indicate year, month and numerical day of the month. (Other uses of time stamps, such as controlling and monitoring a manufacturing process, are beyond the scope of this draft guidance document, but you should be aware that they might warrant different degrees of precision.) 8
6. Other Uses of Time Stamps In Electronic Recordkeeping Use of time stamps might have value in implementing other part 11 controls, although the regulation does not require time stamps as a means of achieving those controls. You might find the guidance in this draft document helpful in implementing time stamps in those other controls. Here are some examples: Limiting system access to authorized individuals (section 11.10(d)); there might be situations in which individuals are only permitted to access a system during certain times. Access might be controlled, in part, by checking a system clock as part of the log on process and recording the time stamp in an access log to document attempts at unauthorized access. Ensuring proper sequencing of events (section 11.10(f)); applying reliable automated time stamps to each event in a sequence can help demonstrate that they occurred in the proper chronological order. Documenting the time-sequenced development and modification of systems documentation (section 11.10(k)(2)); reliable time stamps can help show that systems documentation was prepared in a preestablished order. DocID:TimestampsDraftPostRESOCC.doc 2/11/02 9